0 Replies Latest reply on Feb 16, 2016 3:27 PM by rbroom

    Search / Alarm on Snort Rule ID?

    rbroom

      I'm trying to perform searches and set alarms based on a specific Snort rule ID. I have the rule ID from the Snort sensor, but it doesn't always seem to map to the "Signature ID" in Nitro.

      We can take a basic Sourcefire rule: 1:13359:7 ("APP-DETECT failed IMAP login attempt - invalid username/password"). I would have thought this translates to a Signature ID of 1-13359, but that's not the case. It seems to be something like 38-3016359, but the conversion appears random.

      Can I get a recommendation on how to translate a Snort rule ID into a Signature ID for my purposes?

      Thank you.